The Generic Security Service Application Program Interface (GSSAPI, also GSS- API) is an . Sun Microsystems (). “GSS-API Programming Guide”. The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.
|Published (Last):||7 December 2006|
|PDF File Size:||4.75 Mb|
|ePub File Size:||19.65 Mb|
|Price:||Free* [*Free Regsitration Required]|
Integration Strategies, Patterns, and Best Practices. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized.
Operating system security Internet Standards. As above, but the value is a decimal string representation of the uid. I dont know if the windows domain login is enabled for pkinit. Sign up or log in Sign up using Google.
GSS-API Programming Guide
Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. Sign up using Email and Password.
Are you going to do programming this is not clear form your question? The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations.
Generic Security Services Application Program Interface
University of Bamberg Press. The value should be a principal name string. The only guides I’ve found so far are very low-level protocol descriptions or server configuration guides for admins Probably you are looking for kerberos with pkinit support. Contents previous next index Search feedback. If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab.
Articles lacking in-text citations from October All articles lacking in-text citations Pages using RFC magic links. Instead, security-service vendors provide GSSAPI implementations – usually in the form of libraries installed with their security software.
If no existing tickets are available for the desired name, gsspai the name has an entry in the default client keytabthe krb5 mechanism will acquire initial tickets for the name using the default client keytab.
This article includes a list of referencesrelated reading or external linksbut its sources remain unclear because it lacks inline citations.
In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. Do you know if this is a krb library-specific thing, or can putty somehow use this too? Email Required, but never shown. The definitive feature of GSSAPI gssali is the exchange of opaque messages tokens which hide the implementation detail from the higher-level application.
Putty uses this TGT and gets a service ticket and proceed, so a simple kerberos enabled putty is sufficient. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name.
If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults]. Note In MIT krb5 versions prior to 1. The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used.
As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. This page was last edited on 25 Januaryat Please help to improve this guiide by introducing more precise citations. The memory pointed to by the buffers is not required to be contiguous or in any particular order.
Kerberos (GSSAPI) Authentication